fix(security): invite links must not log in accounts with credentials
A registration/re-invite link auto-established a session for any existing active user, so re-inviting a fully set-up user acted as a passwordless login. Invite links are for account setup only. After consuming the token, refuse to establish a session when the target account already has a password or WebAuthn credential. Credential-less accounts (e.g. freshly created by initial-admin) can still complete setup. Account recovery for set-up accounts must use a separate, authenticated flow. Refs: porchlight-a3a Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
e4eb539e3f
commit
faeecaed59
2 changed files with 36 additions and 1 deletions
|
|
@ -86,6 +86,18 @@ async def register_magic_link(request: Request, token: str) -> Response:
|
|||
if existing_user is not None:
|
||||
if not existing_user.active:
|
||||
return HTMLResponse("<p>This account has been deactivated.</p>", status_code=400)
|
||||
# An invite link is for account setup, not authentication. If the
|
||||
# account already has credentials, refuse to establish a session —
|
||||
# otherwise a re-invite would be a passwordless login. Account
|
||||
# recovery must go through a separate, explicitly authenticated flow.
|
||||
cred_repo = request.app.state.credential_repo
|
||||
has_password = await cred_repo.get_password_by_user(existing_user.userid) is not None
|
||||
has_webauthn = bool(await cred_repo.get_webauthn_by_user(existing_user.userid))
|
||||
if has_password or has_webauthn:
|
||||
return HTMLResponse(
|
||||
"<p>This account is already set up. Please sign in instead.</p>",
|
||||
status_code=400,
|
||||
)
|
||||
user = existing_user
|
||||
else:
|
||||
userid = await generate_unique_userid(user_repo)
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue